Category Archives: Information- and IT-Security

During the Tallinn Digital Summit 2018, I participated in a breakout session on Safety and Security in the Age of Artificial Intelligence, along with four ministers and three other specialists in the area. Below is what I highlighted:

I have recently worked on a number of implementations of cyber security laws in organisations. I would like to briefly explain the need for a legal foundation that enforces safe development of AI systems and, above all, the need for it to be in line with previous cyber security legislation and methods.

Within corporations and other organisations, current risk management regarding IT systems is primarily based on two different points of view. The first is the risks to the organisation itself, which need to be managed in order to securely continue with operations. The second is the individual perspective, which is regulated by privacy laws, for example the Data Protection Act. Here, the risks and potential repercussions of mismanagement of personal data are analysed. Within organisations that handle a large amount of sensitive personal information, and within government bodies, current legislation requires an independent Data Protection Officer who ensures compliance with existing legal requirements.

From a societal point of view, we have different legislation which focuses on activities of importance to, for example, Europe as a whole. An example of this is the NIS Directive, which aims to ensure the reliability and security of the network and information services that are essential to everyday activities.

The problem is that currently we lack a comprehensive legal framework to protect society – and the rest of the world – against organisations which are irresponsible in their development of artificial intelligence. Furthermore, there are no acknowledged standards, methods or indeed precedents within the area. As a result, as long as the integrity of the management of personal data is maintained, there are currently no restrictions, other than ethical, on any irresponsible development of artificial intelligence.

To manage the gap between regulation and the capability of the new systems, it will be essential to introduce processes within the organisations which focus on the management of risks associated with artificial intelligence. However, there is no need to reinvent the wheel. Current cyber security methods and guidelines can be complemented by our current knowledge of research within artificial intelligence. Notably, potential risks are far more wide-ranging than cybersecurity and have a large impact on fairness, ethics, transparency and accountability.

To manage these risks, I have four suggestions:

The first is to define the fundamental principles that should guide the development of artificial systems from a security, fairness, ethics, transparency and accountability point of view.

The second is to legislate against the irresponsible development of artificial intelligence. This legislation can be similar to the Data Protection Act, but with a focus on the protection of society as opposed to the protection of the individual.

The third is to define a model for the safe development of artificial systems which the legislation can refer to. Such a model could be used to determine whether the right tests have been performed and to ensure that the correct principles for system architecture and design have been adhered to. I really want to emphasise that such a model should not deviate from, but rather complement, existing models and processes for secure development, for example Microsoft’s Security Development Lifecycle or Privacy by Design. Any large deviation from existing frameworks may not only jeopardise the ability of organisations to implement them but may also be prohibitively expensive.

The fourth is that developers of artificial intelligence systems need to have a process for independent verification. An example could be an independent representative who verifies that the organisation complies with the legislation, an AI Protection Officer with a similar position as the current Data Protection Officer.

Finally, I want to re-emphasise that all legislation within the area must mirror existing legislation and methods for secure development. Otherwise we will not get the results we are aiming for.

Åsa Schwarz

The breakout session Safety and Security in the Age of Artificial Intelligence had the following participants:

You may now read my thriller short story CENTR, dealing with the power over the Internet. This is a short story, a work of fiction, but it was inspired by one of the most burning questions in the history of the Internet, today more burning than ever.

The United States of America has agreed to release control of ICANN, which handles the address register of all top-level domains. Among other things, this address register is needed to direct internet traffic to the right country. In order to release control, the United States of America has set certain conditions, to be fulfilled before September 2015. The question is… what happens if these conditions are not fulfilled?

I wrote the short story in the spring of 2015, on commission from .SE, so that it could be mailed to the members of CENTR, the European organisation for top-level domains, before a conference at the Sheraton Stockholm Hotel, 1st – 3rd of June, 2015.
I own the copyright, and the short story may be distributed freely, provided that no changes are made.

Knowit is strengthening its venture in IT and information security. For this reason, Åsa Schwarz has been employed as sales manager of Knowit’s specialist company in the field, Knowit Secure. Her task is to position Knowit as the leading supplier of outsourced security.

– The demand for IT and information security is growing, as the situation for all companies is becoming more complex, with outsourcing, cloud services and social media. At the same time, cybercrime is becoming more organised and goal-oriented, says Åsa Schwarz.

Knowit is growing quickly in the area. In one and a half years, Knowit Secure has gone from zero to twenty-five employees. The goal is to have thirty employees by the end of the year.

– Our goal is to become the Swedish leaders in the field. Åsa will help us on the way, with her unique competence in security, marketing and sales, says Tomas Rimming, CEO at Knowit Secure.

– Knowit has already become one of the sharpest security consultants, says Åsa Schwarz. It will be fun to see what we can achieve together in the future.

Åsa Schwarz has long experience of IT security and has founded both business fields and companies in the area. She also works as a columnist for Computer Sweden and has published four works of fiction, translated into seventeen languages.

The year was 2009. The warning lights were blinking. The clouds were approaching. Unsure, immature, hyped, and with a seductive price tag. A customer commissioned me to make a check list of services that could be placed in the cloud. The answer was simple: any services, as long as they are not connected to the rest of one’s infrastructure and don’t contain sensitive information. I hope you never need to retrieve the information. Curtain-fall.

The year is 2013. The price tag is still seductive, but the situation is different. The market is maturing. The larger suppliers are listening to their customers. Although contracts are standardised, they are premised on the customer being a professional purchaser. Now one has to make the right choice, not abstain from buying. The pitfalls are many, but the rewards are lower prices, flexibility, and in some cases higher security.

Personal information has been a major obstacle for the cloud giants. Therefore a construction called Safe Harbor has now been implemented, meaning that American companies pledge to abide by European legislation. This pertains not only to personal information: all of one’s information is then accessible only in countries with reasonable legislation. However, the Patriot Act and FISAA trump Safe Harbor, which is important for Swedish public authorities to keep in mind.

Integration with the rest of one’s infrastructure has been another problem. Nowadays, however, one can connect cloud services to the existing Active Directory, and the transition is invisible to users through Single Sign-On. Naturally, this has to be done in a secure way. Both outsourcing and cloud suppliers are often ISO 27001 certified. Keep in mind that an outsourcing supplier’s certificate does not always cover the outsourced activities, whereas for cloud suppliers the services themselves are certified.

Don’t misunderstand me. I am not advocating placing everything in the cloud. There are lots of things to keep in mind. The Cloud Security Alliance will help you with risk information, control lists, and so forth. We should, however, ask ourselves why whole IT operations are to be outsourced if, in some cases, it is both more secure and cheaper to make use of clearly demarcated cloud services.